Note: All passwords have been replaced or redacted.
I'm trying to create a (rancid repo) account that can use the command "show run" without enabling and using a second password.
Right now, I add user lion with the command "username lion privilege 15 secret raplegend", but when I log in as that user with password raplegend, I can't do the "sh run" command without doing
enable
password: reggaegod
Here are the relevant parts of the running-config file. I have replaced password hashes with fake plaintext for convenience.
version 12.2
enable secret 5 [redacted]
!
username snoop privilege 15 secret 5 raplegend
username lion privilege 15 secret 5 raplegend
aaa new-model
!
line con 0
line vty 0 4
 password 7 reggaegod
 transport input ssh
line vty 5 15
 password 7 reggaegod
 transport input ssh
!
What am I missing here? Thanks!
I tested this quickly on 12.2(46a), and I needed to add the following to make it work:
Of course, if you're using more than just local accounts (e.g. TACACS+), you'll need to modify the statement to accommodate those accounts. Make sure you test it with another SSH session before logging out of the first one, because you won't be able to log in to fix it if it doesn't work.
Also, since aaa new-model is configured, the default configuration for VTY lines is the equivalent of the old login local command, so the password commands should not be needed.
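A small audit script, added here as an example and not part of either answer, that checks a running-config for the situation described in the question: aaa new-model on, privilege-15 local users, no EXEC authorization statement, and VTY password lines that aaa new-model makes redundant. It assumes the missing statement from the first answer is the standard IOS "aaa authorization exec ..." command (an assumption; the answer's own snippet is not reproduced on the page), and the sample config is a constructed copy of the question's with fake secrets.

```python
import re

# Constructed sample modelled on the question's running-config (fake secrets).
SAMPLE_CONFIG = """\
version 12.2
enable secret 5 [redacted]
!
username snoop privilege 15 secret 5 raplegend
username lion privilege 15 secret 5 raplegend
aaa new-model
!
line con 0
line vty 0 4
 password 7 reggaegod
 transport input ssh
line vty 5 15
 password 7 reggaegod
 transport input ssh
!
"""

def parse_sections(config):
    """Split an IOS config into top-level commands and indented 'line ...' blocks."""
    top, blocks, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            current = None          # '!' ends the current block
            continue
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        elif raw.startswith("line "):
            current = raw.strip()
            blocks[current] = []
        else:
            current = None
            top.append(raw.strip())
    return top, blocks

def audit(config):
    """Return findings relevant to 'show run' failing for a privilege-15 user."""
    top, blocks = parse_sections(config)
    aaa_new_model = "aaa new-model" in top
    # Assumed fix: IOS 'aaa authorization exec ...' (not quoted on the page).
    exec_authz = [l for l in top if l.startswith("aaa authorization exec ")]
    priv15_users = [l.split()[1] for l in top
                    if re.match(r"username \S+ privilege 15 ", l)]
    vty_with_password = [name for name, body in blocks.items()
                         if name.startswith("line vty")
                         and any(b.startswith("password ") for b in body)]
    return {
        "aaa_new_model": aaa_new_model,
        "exec_authorization_configured": bool(exec_authz),
        "privilege15_users": priv15_users,
        "needs_exec_authorization": aaa_new_model and bool(priv15_users) and not exec_authz,
        "redundant_vty_password_lines": vty_with_password if aaa_new_model else [],
    }
```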
If you're using TACACS or RADIUS then you'll need to pass an av-pair value back for that account to be automatically escalated to enable level. Google TACACS av-pair.